FIDO2 Authenticator Metadata
FIDO2 authenticator metadata can be managed in two distinct manners depending on the specific customer needs. The differences are as follows:
Feature | FIDO Alliance Metadata Service | Local authenticator metadata |
---|---|---|
Metadata updates | automated, monthly | manual |
Metadata endpoint root certificate validation | ✅ | - |
Certificate chain validation | ✅ | ❌ |
Certificate revocation list check (CRL) | ✅ | ❌ |
Attestation root certificate validation | ✅ | ✅ |
Authenticator allow-listing | ✅ | ✅ |
MDS3 - FIDO Alliance Metadata Service
nevisFIDO supports the official FIDO Alliance Metadata Service providing organizations deploying FIDO Authentication with a centralized and trusted source of information about FIDO authenticators.
- Nevis recommends using the official MDS3 service for most use cases and scenarios.
- Usually it's sufficient to use singular official MDS3 metadata endpoint
https://mds3.fidoalliance.org/
. In case you have special needs, additional URLs can be configured. - The metadata root certificate is required in the nevisFIDO configuration to ensure metadata endpoints are trusted.
Caching and reloading
The nevisFIDO component caches and updates the retrieved metadata according to the specification. It uses the nextUpdate
attribute of the JWT BLOB for scheduling as well as a minimum (1 day) and maximum (30 days) caching period.
In the event of a failure to retrieve data from the defined endpoint URLs the system will retry reloading the cache at a configurable interval which defaults to 10 minutes.
The nevisFIDO component will start up successfully even failing to load the MDS3 data from the defined endpoint URLs.
A failure in loading the MDS3 data is indicated in the component log as warning: Failed to refresh MetadataBLOB from MDS3 endpoint
.
We consider improving the readiness endpoint in the future to indicate component readiness based on successful metadata retrieval.
How to configure the metadata service
Configuring the metadata service is straightforward:
- Visit FIDO Alliance Metadata Service
- Download the root certificate
- Configure the metatadata URL in nevisFIDO
- Configure the truststore in nevisFIDO
- Add the root certificate to the truststore
Using nevisAdmin4 simplifies the configuration process.
Local authenticator metadata
As an alternative to the official metadata provided by the FIDO alliance, you are able to use local metadata files.
Local authenticator metadata is trusted, therefore no additional checks are performed regarding the certificate chain or the certificate revocation lists. As the local authenticator metadata is not fetched from a remote endpoint, a root certificate validation is not necessary.
Local metadata files are supported in two formats:
- "Plain" JSON files containing the authenticator metadata. The structure either has to be a single
metadataStatement
object or an array ofmetadataStatement
objects. - As BLOB - for example when directly downloaded from the FIDO Alliance Metadata Service.
In addition, you have three choices in how to provide the metadata:
- Providing a path to a directory. This is useful if you want to store multiple individual metadata files.
- Providing a path to a metadata file directly in case you only have one specific metadata file or BLOB.
- Providing the metadata inline as part of the nevisFIDO YAML file. Only a JSON array of
metadataStatement
objects is supported even if a single object is supplied.
Using FIDO2 Authenticator allow-listing
If you're an integrator wanting to use the FIDO2 allow-listing feature you'll generally have to execute the following steps:
Step 2 and 3 are optional as nevisFIDO supports directly using MDS3 BLOBs as local file system based metadata sources. Use these steps if you want to strip or simplify a BLOB.
Download the latest FIDO Alliance Metadata BLOB from the official FIDO Alliance Metadata Service.
Decode the JWT blob with tools of your choice. For example with the following bash function using the JQ utility:
JWT Decode functionjwt-decode() {
jq -R 'split(".") |.[0:2] | map(gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=") | @base64d) | map(fromjson)' <<< $1
}Example usagejwt-decode `cat blob.jwt` > fido-metadata.json
Extract the metadata entries of your authenticators to a new JSON file. You can "strip out"/simplify the entry as only the
"aaguid"
and"attestationRootCertificates"
are strictly required. We recommend keeping the"description"
as well to easier distinguish the metadata records.Provide the JSON file as configuration option of the nevisFIDO component in the
fido2.metadata.path
property and enable the allow-listing by settingfido2.metadata.allow-listing-enabled
totrue
. This can be done in the FIDO2 Instance pattern. Don't forget to restart/redeploy the nevisFIDO instance.In the FIDO2 onboarding pattern set the Attestation to
direct
.